vlaci / openconnect-sso

Wrapper script for OpenConnect supporting Azure AD (SAMLv2) authentication to Cisco SSL-VPNs
GNU General Public License v3.0
279 stars 119 forks

Unable to connect to VPN that requires CSD #102

Open Mucka opened 1 year ago

Mucka commented 1 year ago

I am trying to connect to a VPN that requires CSD. Although the whole process goes perfectly (with the --no-sandbox Chromium engine flag), in the end the VPN refuses to connect because CSD fails. How should I enable CSD in openconnect?

$ openconnect-sso --server vpn.xx.com --user "xxx.yyy@xxx.com" --authgroup "xxx-xxx" -l DEBUG -- --csd-wrapper=csd-post.sh --protocol=anyconnect
...
[debug    ] Auth finish response received  [openconnect_sso.authenticator] content=b'<?xml version="1.0" encoding="UTF-8"?>\n<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">\n<opaque is-for="sg">\n<tunnel-group>xxx-ssl-vpn-grp</tunnel-group>\n<auth-method>single-sign-on-v2</auth-method>\n<group-alias>xxx-xxx</group-alias>\n<config-hash>XXXXXXXXX</config-hash>\n</opaque>\n<auth id="main">\n<title>Login</title>\n<message>Please enter your username and password.</message>\n<banner></banner>\n<error id="13" param1="" param2="">Unable to complete connection: Cisco Secure Desktop not installed on the client</error>\n<form>\n<select name="group_list" label="GROUP:">\n<option selected="true">xxx-xxx</option>\n</select>\n</form>\n</auth>\n<host-scan>\n<host-scan-ticket>XXXXXXXXXXXXXXXXX</host-scan-ticket>\n<host-scan-token>XXXXXXXXXXXXXXXXXXXXXXX</host-scan-token>\n<host-scan-base-uri>/CACHE</host-scan-base-uri>\n<host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>\n</host-scan>\n</config-auth>\n'
[error    ] Required attributes not found in response ("no such child: sso-v2-login", does this endpoint do SSO?), exiting [openconnect_sso.app]
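The two outcomes visible in the debug log above (a gateway that hands back `<error id="13">` plus a `<host-scan>` block instead of the `sso-v2-login` element the wrapper is waiting for) can be told apart by parsing the aggregate-auth XML before giving up. The following is an added example, not openconnect-sso's own code and not posted by any commenter: it classifies a response as SSO-ready, CSD-required, or a plain gateway error, and surfaces the host-scan ticket/token/URIs so the failure is reported meaningfully. Both XML documents are constructed samples modelled on the log above (placeholders instead of real ticket values); the class and function names are mine, and the `sso-v2-login` URL is an assumed value, since the page shows only the element name.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample, shaped like the "Auth finish response" in the debug log:
# the gateway refuses with error id 13 and issues a host-scan ticket instead.
CSD_REQUIRED_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<opaque is-for="sg">
<tunnel-group>example-ssl-vpn-grp</tunnel-group>
<auth-method>single-sign-on-v2</auth-method>
</opaque>
<auth id="main">
<title>Login</title>
<error id="13" param1="" param2="">Unable to complete connection: Cisco Secure Desktop not installed on the client</error>
</auth>
<host-scan>
<host-scan-ticket>TICKET-PLACEHOLDER</host-scan-ticket>
<host-scan-token>TOKEN-PLACEHOLDER</host-scan-token>
<host-scan-base-uri>/CACHE</host-scan-base-uri>
<host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
</host-scan>
</config-auth>
"""

# Constructed sample of the shape the wrapper expects: an sso-v2-login element.
# The URL is an assumed value; the page only shows the element name.
SSO_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<auth id="main">
<sso-v2-login>https://vpn.example.com/+CSCOE+/saml/sp/login?tgname=example</sso-v2-login>
</auth>
</config-auth>
"""


@dataclass
class AuthOutcome:
    kind: str                       # "sso" | "csd_required" | "error" | "unknown"
    detail: str                     # SSO login URL, or the gateway's error text
    error_id: str = ""              # value of <error id="...">, if present
    host_scan: dict = field(default_factory=dict)  # host-scan-* children, if present


def classify_auth_response(content: bytes) -> AuthOutcome:
    """Classify an AnyConnect aggregate-auth response (hypothetical helper).

    The gateway's response is parsed with the standard library; the document
    comes from the VPN gateway you are authenticating to, so no external
    entities are expected, but defusedxml is the safer choice for untrusted XML.
    """
    root = ET.fromstring(content)
    auth = root.find("auth")

    # Happy path: the SSO flow can continue with this URL.
    if auth is not None:
        sso_url = auth.findtext("sso-v2-login")
        if sso_url:
            return AuthOutcome("sso", sso_url.strip())

    # Collect any host-scan material the gateway handed out.
    host_scan = {}
    hs = root.find("host-scan")
    if hs is not None:
        host_scan = {child.tag: (child.text or "").strip() for child in hs}

    error = auth.find("error") if auth is not None else None
    if error is not None:
        text = (error.text or "").strip()
        error_id = error.get("id", "")
        # A host-scan ticket alongside the error is the CSD/hostscan requirement.
        if host_scan:
            return AuthOutcome("csd_required", text, error_id, host_scan)
        return AuthOutcome("error", text, error_id, host_scan)

    return AuthOutcome("unknown", "", "", host_scan)


if __name__ == "__main__":
    for sample in (CSD_REQUIRED_RESPONSE, SSO_RESPONSE):
        outcome = classify_auth_response(sample)
        print(outcome.kind, outcome.detail)
        for tag, value in outcome.host_scan.items():
            print(f"  {tag}: {value}")
```

Reporting `csd_required` together with the `host-scan-wait-uri` and ticket is what a wrapper needs in order to hand the work to a `--csd-wrapper` script or to fail with a message that names the actual cause, rather than the generic "no such child: sso-v2-login" seen in the log.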
Beej126 commented 1 year ago

See #35. It seems CSD must be performed within openconnect-sso's flow, and some of us have been successful doing it that way, by sending back a previously captured flat-text CSD response via openconnect-sso builds tweaked to support this.

Mucka commented 1 year ago

I am not able to select a host in the Cisco AnyConnect client, even if I uncheck "Block connections to untrusted servers". I tried to use /etc/hosts, but the warning message "AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy." appears. I tried to reroute the VPN IP address using firewall NAT rules on the router, but the same message appears.

Beej126 commented 1 year ago

@Mucka I am not able to select host in Cisco AnyConnect Client...

It took me a sec to realize you're working on capturing your AnyConnect hostscan response via the local proxy tool. It's been so long since I did that, I don't remember why I wasn't prevented in the same way, because that sounds like an obvious barrier to have in place. You could indeed be stuck. You could see if the hostscan file I shared in my readme is enough; there is nothing sensitive in there. You might get lucky. Or maybe try an older version of the AnyConnect client that doesn't have that continuity check in place; I'm pretty sure I was running 4.9.06037.

Mucka commented 1 year ago

It took me a while, but I was able to obtain hostscan-bypass.sh. This issue helped: I had to create config.json with an empty cert and add -c config.json to hostscan-bypass, then finally, using the router firewall NAT, I rewrote the VPN IP address to a local one and generated hostscan-bypass.sh! I manually converted this file to hostscan-data following your format and it is working! Thank you very much! I used your fork!

Beej126 commented 1 year ago

@Mucka - very cool. Way to persevere, and good on you for sharing your notes.

adminy commented 3 days ago

It's possible to get this working on linux-64 hosts also.

<error id="13" param1="" param2="">
  Unable to complete connection: Cisco Secure Desktop not installed on the client
</error>

Also tried the hostscan-bypass method, and created a PR to be able to do this.

Solved it with https://github.com/vlaci/openconnect-sso/pull/181